alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Obfuscated Sign In Landing Page 2023-06-22"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"\\\\x0D\\\\x0A\\\\x3C\\\\x68\\\\x65\\\\x61\\\\x64\\\\x3E\\\\x0D\\\\x0A\\\\x3C\\\\x74\\\\x69\\\\x74\\\\x6C\\\\x65\\\\x3E\\\\x0D\\\\x0A\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x53\\\\x69\\\\x67\\\\x6E\\\\x20\\\\x69\\\\x6E\\\\x20\\\\x74\\\\x6F\\\\x20\\\\x79\\\\x6F\\\\x75\\\\x72\\\\x20\\\\x61\\\\x63\\\\x63\\\\x6F\\\\x75\\\\x6E\\\\x74\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x20\\\\x3C\\\\x2F\\\\x74\\\\x69\\\\x74\\\\x6C\\\\x65\\\\x3E\\\\x0D\\\\x0A\\\\x09\\\\x09\\\\x09\\\\x0D\\\\x0A\\\\x3C\\\\x73\\\\x74\\\\x79\\\\x6C\\\\x65\\\\x3E\\\\x0D\\\\x0A\\\\x68\\\\x74\\\\x6D\\\\x6C"; fast_pattern; reference:md5,e73af0d91c496b615ace6c3aa04a4c88; classtype:credential-theft; sid:2046621; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_06_22, deployment Perimeter, confidence High, signature_severity Major, tag Phishing, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_22, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)